[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

inferno at chromium.org inferno at chromium.org
Mon Feb 21 00:32:07 UTC 2011 

The following commit has been merged in the webkit-1.3 branch:
commit b1a6c04d2d7f7032fbaa743634193400dee115c6
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Feb 1 19:16:35 2011 +0000

    2011-01-31  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dan Bernstein.
    
            Tests that a removed svg style element is not accessed again in document's
            style recalc code and does not result in crash.
            https://bugs.webkit.org/show_bug.cgi?id=53441
    
            * fast/css/stylesheet-candidate-nodes-crash-expected.txt: Added.
            * fast/css/stylesheet-candidate-nodes-crash.xhtml: Added.
    2011-02-01  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dan Bernstein.
    
            Do not add a node in the document's stylesheet candidate node list if the
            node is already removed from document.
            https://bugs.webkit.org/show_bug.cgi?id=53441
    
            Test: fast/css/stylesheet-candidate-nodes-crash.xhtml
    
            * dom/Document.cpp:
            (WebCore::Document::addStyleSheetCandidateNode):
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77262 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c5059d8..e42869b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2011-01-31  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dan Bernstein.
+
+        Tests that a removed svg style element is not accessed again in document's
+        style recalc code and does not result in crash.
+        https://bugs.webkit.org/show_bug.cgi?id=53441
+
+        * fast/css/stylesheet-candidate-nodes-crash-expected.txt: Added.
+        * fast/css/stylesheet-candidate-nodes-crash.xhtml: Added.
+
 2011-02-01  Dimitri Glazkov  <dglazkov at chromium.org>
 
         More flakiness updates.
diff --git a/LayoutTests/fast/css/stylesheet-candidate-nodes-crash-expected.txt b/LayoutTests/fast/css/stylesheet-candidate-nodes-crash-expected.txt
new file mode 100644
index 0000000..4346ce6
--- /dev/null
+++ b/LayoutTests/fast/css/stylesheet-candidate-nodes-crash-expected.txt
@@ -0,0 +1,7 @@
+This page contains the following errors:
+
+error on line 29 at column 9: Comment not terminated 
+error on line 32 at column 1: Comment not terminated
+Below is a rendering of the page up to the first error.
+
+PASS
diff --git a/LayoutTests/fast/css/stylesheet-candidate-nodes-crash.xhtml b/LayoutTests/fast/css/stylesheet-candidate-nodes-crash.xhtml
new file mode 100644
index 0000000..d0ecff4
--- /dev/null
+++ b/LayoutTests/fast/css/stylesheet-candidate-nodes-crash.xhtml
@@ -0,0 +1,30 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg" xmlns:xht="http://www.w3.org/1999/xhtml">
+    <html xmlns="http://www.w3.org/1999/xhtml">
+        <body>
+            <script type="text/javascript">
+                if (window.layoutTestController)
+                {
+                    layoutTestController.dumpAsText();
+                    layoutTestController.waitUntilDone();
+                }
+                
+                function runTest()
+                {
+                    document.getElementsByTagNameNS('http://www.w3.org/1999/xhtml', 'style')[0];
+                    if (document.body)
+                        document.body.innerHTML = "PASS";
+                    
+                    if (window.layoutTestController)
+                        layoutTestController.notifyDone();
+                }
+            </script>
+            <svg:style>
+                <xht:caption>
+                    <xht:iframe onload="runTest();"></xht:iframe>             
+                    <style></style>
+                </xht:caption>
+            </svg:style>
+        </body>
+    </html>
+    <!----->
+</svg>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 9f8f153..09ed729 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2011-02-01  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dan Bernstein.
+
+        Do not add a node in the document's stylesheet candidate node list if the
+        node is already removed from document.
+        https://bugs.webkit.org/show_bug.cgi?id=53441
+
+        Test: fast/css/stylesheet-candidate-nodes-crash.xhtml
+
+        * dom/Document.cpp:
+        (WebCore::Document::addStyleSheetCandidateNode):
+
 2011-02-01  Dave Hyatt  <hyatt at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
index cb9a2ab..0f4f4c5 100644
--- a/Source/WebCore/dom/Document.cpp
+++ b/Source/WebCore/dom/Document.cpp
@@ -2893,6 +2893,9 @@ void Document::styleSelectorChanged(StyleSelectorUpdateFlag updateFlag)
 
 void Document::addStyleSheetCandidateNode(Node* node, bool createdByParser)
 {
+    if (!node->inDocument())
+        return;
+    
     // Until the <body> exists, we have no choice but to compare document positions,
     // since styles outside of the body and head continue to be shunted into the head
     // (and thus can shift to end up before dynamically added DOM content that is also

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list